AbuseIPDB integrated to Suricata on pfSense
-
Has anyone done: Integrating AbuseIPDB with Suricata - Automatically Block Bad IPs
https://www.abuseipdb.com/suricata
Looks like you need Lua, and that is not a package for pfSense.
-
@jobee
Hi, thank you for bringing this to communities attention.
Unless bmeeks changes his policy (I understood he follows the upstream Suricata releases, see here), this doesn't look like something that will come to Suricata anytime soon. I've been looking at the AbuseIPDB website, and noticed they have an API. I wonder if it is possible to retrieve the bad IPs and add these addresses (the list) to pfBlockerNG. I'm using pfBlockerNG (only the IP part) and have been adding the Talos list (wget), in an attempt to increase protection.
Again, I wonder why there is an IPv4 list only, while IPv6 is becoming more and more important.
-
Thanks for the note. Guess we will see what @bmeeks decides, but the directions provided by AbuseIPDB seem straightforward and do not seem to alter Suricata. I am just not sure about Lua.
I am getting the abuseipdb in pfBlockerNG. You can create your own groups and add your own custom feeds and you do use the API.
-
@jobee Hello, I'm searching how I can also add AbuseIPDB in pfSense, in pfBlockerNG or Suricata.
Did you have success with this? Can you give some directions?
-
I came up with the same idea, and I coded something in Bourne shell (sh); feel free to test if this works for you:
https://www.gueudier.fr/pfsense-appliance-suricata-abuseipdb/
-
@bambos Not sure if you got the response you were looking for below. Or if anyone else is looking for a similar solution. I am using pfBlockerNG and was looking for a quick way to just add the IPs to a feed as well. The script I created was just run in cron a few times a day and updated a feed that got picked up by pfBlockerNG.
Feel free to use or modify the code to meet your needs.
https://brian.thecadwells.net/2021/11/13/integrating-abuseipdb-into-pfblockerng/
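A sketch of the cron-driven feed script this reply describes, added here as an example and not the code from either linked post. It assumes the AbuseIPDB v2 `/blacklist` endpoint with a `Key` header, `Accept: text/plain` and a `confidenceMinimum` parameter; the feed path and the API key are placeholders for the operator to replace.

```shell
#!/bin/sh
# Added example (not the code from either linked post): fetch the AbuseIPDB
# blacklist and publish it as a plain-text IP feed for pfBlockerNG to pull.
# Assumptions: the AbuseIPDB v2 /blacklist endpoint with a "Key" header,
# "Accept: text/plain" and a confidenceMinimum query parameter; the feed
# path and API key below are placeholders to be replaced by the operator.
ABUSEIPDB_KEY="${ABUSEIPDB_KEY:-REPLACE_WITH_YOUR_KEY}"
FEED_FILE="${FEED_FILE:-/usr/local/www/abuseipdb_feed.txt}"
MIN_CONFIDENCE="${MIN_CONFIDENCE:-90}"

# Download the blacklist as one address per line (curl -f makes an HTTP
# error or rate-limit response yield empty output instead of an error body).
fetch_blacklist() {
    curl -sfG "https://api.abuseipdb.com/api/v2/blacklist" \
        --data-urlencode "confidenceMinimum=$MIN_CONFIDENCE" \
        -H "Key: $ABUSEIPDB_KEY" -H "Accept: text/plain"
}

# Keep only well-formed IPv4/IPv6 addresses from stdin, deduplicated, so a
# garbled or tampered response cannot inject arbitrary lines into the feed.
sanitize_feed() {
    awk '
    { sub(/\r$/, "") }                       # tolerate CRLF line endings
    /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {     # IPv4: every octet must be 0-255
        n = split($0, o, "."); ok = 1
        for (i = 1; i <= n; i++) if (length(o[i]) > 3 || o[i] + 0 > 255) ok = 0
        if (ok) print
        next
    }
    /^[0-9A-Fa-f:]+$/ && /:/ { print }       # IPv6: loose check, hex groups and colons
    ' | sort -u
}

# Atomically replace the feed; an empty result keeps the previous feed so a
# failed API call does not silently leave pfBlockerNG with an empty list.
write_feed() {
    tmp="$FEED_FILE.tmp.$$"
    sanitize_feed > "$tmp"
    if [ -s "$tmp" ]; then
        mv -f "$tmp" "$FEED_FILE"
    else
        rm -f "$tmp"
        echo "abuseipdb: empty or failed download, keeping previous feed" >&2
        return 1
    fi
}

# Intended cron entry: /path/to/abuseipdb_feed.sh run
if [ "${1:-}" = "run" ]; then
    fetch_blacklist | write_feed
fi
```

Point pfBlockerNG's custom IPv4/IPv6 feed at the resulting file and keep the API key out of world-readable locations.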
-
You can create a feature request for pfBlockerNG / Suricata AbuseIPDB support:
https://docs.netgate.com/pfsense/en/latest/development/feature-requests.html
-
@viktor_g, thank you for your reply. As much as this would be a cool feature, I'm not sure this is exactly how AbuseIPDB is intended to be used. The idea is to give as you get. The script above is only half of that. I would need to give some thought to what requirements would need to be met for a feature request to make sense. I think integrating fail2ban into pfSense in some form may be more appropriate. Even that is problematic when you have an appliance for a firewall and separate hosts for services. Again, the solution above was just shared as a possible solution to my particular problem.
Have a great day!
-
I read the link back to AbuseIPDB posted in one of the replies in this thread. I don't really see how this fits into the general Suricata use case on pfSense. Sure Suricata can load up some IP list (providing it's in the correct format as specified for IP reputation lists), but the binary has no method of feeding anything back to the AbuseIPDB eco-system.
The best you can do is scrape the text logs, but in my opinion you should not be doing all that work on your firewall. I say that because invariably such tools want to drag in all kinds of dependent packages, and each dependent package you add is a potential attack vector. You increase the attack surface of your firewall and thus reduce security. Better in my view to export the firewall and Suricata logs to an external SIEM type system, and then do your log scraping and reporting from there. That system could also report things back to AbuseIPDB.
In the IT Security world I came from, your firewall has one job. And that job is keeping external traffic out (unless explicitly allowed in), and controlling what internal traffic can go where. Reporting, pretty graphs, and all that GUI fluff should be handled on an external system that is not the firewall.